FOREWORD


At the time of this writing, the events during the
2016 presidential election campaign have focused intense
attention on the dangers of hostile cyber and information
operations by foreign powers. The legality
under international law of this kind of interference in
another state's information space has been the subject
of long discussion, both bilaterally between the United
States and other major cyber powers, and internationally
at the United Nations (UN) and elsewhere.

In this Letort Paper, completed in late 2015, British 
researcher Keir Giles provides a guide to the various 
and conflicting trends in this debate. As a long-term 
scholar of the Russian approach to cyber policy and 
legality in cyberspace, Giles places the discussion, and 
U.S. concerns, in an international context. In particular, 
he explains the deep ideological divides on the correct 
course of action to take between the United States and 
its allies on the one hand, and a large group of nations 
led by Russia and China on the other. 

Mr. Giles's previous work has highlighted the
broad interpretation and application of "cyber power"
by adversarial actors, including the potential for a
range of hostile information activities that the United
States would classify in entirely different domains.
With this in mind, the Strategic Studies Institute recommends
this Letort Paper not only to policymakers
and researchers focusing on law and policy in the cyber
field, but also more broadly to those engaged in
protecting the United States against other forms of information
operations including subversion, destabilization,
and disinformation. As is shown in this Letort
Paper, legislative initiatives by potential adversaries
provide important insights into the conceptual framework
within which they consider and plan unfriendly
actions.


DOUGLAS C. LOVELACE, JR. 
Director 

Strategic Studies Institute and 
U.S. Army War College Press 
SUMMARY


This Letort Paper provides an overview of moves
toward establishing international norms and the rule
of law in cyberspace, and the potential for establishing
further internationally accepted and enforceable standards
of behavior. Completed in late 2015, it reflects
the state of play in these areas at that time. It especially
highlights opposing views on the nature of legality in
cyberspace, and how and where those views are gaining
global support.

The United States believes, in broad terms, that activities
in cyberspace require no new legislation, and
that existing legal obligations are sufficient. However,
a large number of other states led by Russia and China
believe that new international legal instruments
are essential in order to govern information security
overall, including as expressed through the evolving
domain of cyberspace. Russia in particular argues that
the challenges presented by cyberspace are too urgent
to wait for customary law to develop as it has done in
other domains; instead, urgent action is needed.

As well as disagreement on new legislation, there
is a fundamental schism in international discussion
on what exactly should constitute illegal behavior in
cyberspace. Russian and Chinese information security
policies express a holistic approach to countering
information threats, particularly by recognizing
the problem of harmful content, as well as the strict
"cyber" issue of harmful code or "cyber weapons."
Nevertheless, the previous basic Euro-Atlantic assumption
that freedom of expression and free movement
of information online are sacrosanct has now
been challenged in some quarters, in the face of their
exploitation by Russia and the Islamic State (IS). Hostile
information activities by both actors have brought
clarity to the concerns over subversive content that
were previously expressed by Russia and China but
disavowed by the United States.

Another keystone element of the ongoing legal debate
is whether, when, and to what extent the Law of
Armed Conflict (LOAC) can apply to hostile actions
carried out through cyberspace, and hence the sub-topic
of what precisely constitutes an "armed attack"
online. This Letort Paper provides an overview of the
current state of the debate and progress toward international
agreement, including a discussion of the Tallinn
Manual on the International Law Applicable to Cyber
Warfare, and its merits and limitations.

Further sections of this Letort Paper discuss existing
rules and agreements governing cyber activity,
including attempts to control cyber weapons by the
Wassenaar Arrangements — an international regime
regulating exports of conventional weapons and
sensitive dual-use items and technologies with military
end-uses — and the development of a range of
international confidence building measures (CBMs)
in various international organizations, including the
Organization for Security and Co-operation in Europe
(OSCE), the Organization of American States (OAS),
the Shanghai Cooperation Organization (SCO), and
more. Besides CBMs, several other codes of norms
and good behavior have been constructed in regional
agreements and are reviewed here, including the
Council of Europe Convention on Cybercrime (the
Budapest Convention). A further section discusses
bilateral agreements and treaties, including those between
the United States and Russia, and the United
States and China.

This Letort Paper concludes with policy recommendations,
including the key conclusion that adversaries
are framing their cyber offensive potential in
an entirely different mental construct than that which
applies in the United States and its Western allies.
The approaches of key potential state adversaries to
legitimation or prohibition of online activity provide
important clues to how they see this activity in terms
of their own behaviors. As such, they provide a useful
aid in planning for, countering, and responding to the
wide range of threats to U.S. security that state and
nonstate adversaries can present using the Internet.
PROSPECTS FOR THE RULE
OF LAW IN CYBERSPACE 


INTRODUCTION 

The application of international law and legal
principles in cyberspace is a topic that has caused confusion,
doubt, and interminable discussions between
lawyers since the earliest days of the internationalization
of the Internet. The still unresolved debate over
whether cyberspace constitutes a fundamentally new
domain that requires fundamentally new laws to govern
it reveals basic ideological divides. On the one
hand, the Euro-Atlantic community led by the United
States believes, in broad terms, that activities in cyberspace
require no new legislation, and existing legal
obligations are sufficient. On the other, a large number
of other states led by Russia and China believe that
new international legal instruments are essential in
order to govern information security overall, including
those expressed through the evolving domain of
cyberspace. 1

Analogies for the current state of regulation in 
cyberspace are commonplace. The domain has been 
compared to the early days of highway regulations, 
or to maritime law. In each of these cases, the norms 
that were based on trust were eventually formed into 
customs, and were finally codified as law. Russia in 
particular argues that the challenges presented by 
cyberspace are too urgent to wait for customary law 
to develop as it has done in other domains; instead, 
urgent action is needed. 

The following Letort Paper will provide an overview
of moves toward establishing norms and the rule
of law in cyberspace, and the potential for establishing
further international norms of behavior. It will also
highlight opposing views on the nature of legality in
cyberspace, and how and where those views are gaining
global support.

It will be shown that despite persistent and long-term
campaigning by a number of states for new
binding international agreements, at present the most
successful initiatives are primarily establishing norms
on proper behavior through commercial interaction,
and building confidence through bilateral confidence
building agreements.

TO LEGISLATE, OR NOT TO LEGISLATE 

Russian senior officers agree with Admiral Michael
Rogers, Director of the National Security Agency
(NSA) and head of U.S. Cyber Command, that deterrence
in cyberspace faces serious challenges, 2 and that
analogies with nuclear deterrence are flawed. However,
unsurprisingly, they disagree with his proposed
remedy of enhancing deterrence by increasing the
United States' offensive capabilities. With escalation
of cyber conflict likely, proliferation easy, and public
attribution challenging, one Russian proposal is for
a binding international agreement under the aegis of
the United Nations (UN) that bans hostile actions in
cyberspace altogether. 3

This reflects a fundamental Russian objection to the
concept of international law already applying to cyber
conflict: the argument that the militarization of information
space and cyber conflict should be prevented
outright, rather than regulated. At the same time,
Russia has also persistently proposed that technical
means be developed for the recognition of facilities
in cyberspace that are protected under international
humanitarian law, such as hospitals and medical facilities.
Proposals range from simple top-level domains
that are designated as protected, to an industry-wide
set of recognized domain extensions for protective
marking of validated resources, or even a simple register
of Internet Protocol (IP) addresses.

In this case and others, close examination of Russian
proposals often swiftly uncovers points that render
them either unworkable in practice, or unacceptable
to Western sensitivities. 4 Foremost among these
is the assertion by Russia, China, and a wide range of
other nations that content must be regulated, in addition
to code.

HARMFUL CODE OR HARMFUL CONTENT 

As well as disagreement on the need, or lack of 
a need, for new legislation, there is a fundamental 
schism in international discussion on what exactly 
ought to constitute illegal behavior in cyberspace. 

Russian and Chinese information security policies 
express a holistic approach to countering information 
threats, particularly by recognizing the problem of 
harmful content as well as the strict "cyber" issue of 
harmful code. 

Until very recently, Western theorists and policymakers
on cyber issues were, by contrast, broadly unreceptive
to the notion of harmful content. The notion
that free expression of opinion constitutes a danger
was seen as something wild and exotic, and rejected a
priori, while freedom of expression and free movement
of information across borders was held as sacrosanct.

This schism became clear at the World Conference
on International Telecommunications (WCIT)
in Dubai in December 2012. In the wake of the Arab
Spring, the Internet was perceived by Russia as a
threat to domestic peace and power structures, upon
which Russia actively promoted international norms
to guide states' behavior in cyberspace; a call that
stems from the notion that the virtual borders in cyberspace
can correspond with physical state borders,
thereby reaffirming the principles of sovereignty and
non-intervention. 5 Russia went to WCIT with such a
security-driven Internet governance agenda, proposing
a state-supervised Internet.

The extent of support for the viewpoint championed
by Russia from those countries that share similar
concerns about the cyberthreat took the Euro-Atlantic
consensus by surprise. Although Russian initiatives
have been mostly discounted or ignored in the West,
this is not their only audience, and Russia has been
busy gathering support from countries not usually
considered cyber powers, but that have a perfectly
valid vote in fora such as the International Telecommunication
Union (ITU) or the UN itself. This is possible
because, while many of the proposals appear
counter-intuitive, outdated, unworkable or otherwise
unacceptable to a Western audience, they appear comforting
and reasonable in those other parts of the world
that see a potential threat in the unrestricted circulation
of information, including hostile and damaging
information, both domestically and internationally.

When Giuseppe Abbamonte of the European Commission's
Directorate General for Communications
Networks, Content and Technology (DG CONNECT)
stated publicly that a key part of European Union
(EU) cybersecurity strategy is: "engaging with third
parties and making sure that we export our values
[emphasis added]," many of those hearing him would
not have taken into account that there are substantial
parts of the world that do not wish to have their
values exported to them from Brussels 6 — and in fact,
precisely this kind of export is construed as a direct
information security threat in Russia's Information
Security Doctrine. 7

UKRAINE AND ISLAMIC STATE (IS) 

The basic U.S. and Western assumption that freedom
of expression and free movement of information
online are untouchable has now been questioned, in
the face of two distinct challenges to Western societies:
Russian information war activities centered around
the conflict in Ukraine; and the Islamic State (IS), with
its own specific aims.

In both cases, a key element of the challenge is
subversive disinformation and propaganda produced
by "a multi-tiered online media operation in which a
number of production units . . . produce content consistent
with the core . . . message." 8 The result of both
is that, for the first time in generations, the West has
been forced to reconsider the application of the liberal
principles of freedom of expression in a practical
applied context — not on the basis of idealism, but in
dealing with a problem that is real and immediate.

In the case of Russia, cyber activities in the broad
sense are critical to offensive disinformation campaigns,
whether establishing sources for disinformation
by setting up false media outlets online, 9 or using
social media to address targets of opportunity
for subversion and destabilization efforts apparently
unrelated to events in Ukraine. 10 These activities are
augmented by the ubiquitous activities of trolls and
bots that exploit specific features of the relationship
between traditional and social media in order to
plant, disseminate, and lend credibility to disinformation.
11 They combine for effect with a broad range of
other measures, such as Russian propaganda outlets
being coy about their affiliation in order to seduce
viewers in the United States and elsewhere, 12 links
with far-right political parties to garner direct political
influence, 13 and old-school subversive measures
such as: "NGO [nongovernmental organization] diplomacy,
or establishing and assisting pro-Russian
youth groups, minority and separatist organizations,
and think tanks abroad." 14 The result is that externally,
the multiplicity of deceptive narratives put forward
by Russian information campaigns find fertile ground
among populations that are not well informed on the
realities of history, geography, and the issues at stake
in Ukraine.

IS's active social media presence has prompted
private companies like Twitter to take down social
media accounts and block hashtags. These moves
have received broad popular support, but have also
been criticized by online freedom advocacy groups
such as the Electronic Frontier Foundation. Twitter
and similar corporations are accused of opacity on
their policy of taking terrorist content offline, including
the reporting threshold for triggering removal,
and whether they themselves are actively searching
for terrorist accounts — and if so, according to what
criteria. 15 Facebook is criticized for not publicly releasing
data on U.S. Government censorship requests. 16

This debate continues. In March 2015, senior members
of the House Foreign Affairs Committee sent a
bipartisan letter to Twitter urging them to increase
efforts to combat groups like the IS. "Companies
need to ensure that their social media services are
not being hijacked for terrorist use [emphasis added]."
17 The request was met with understanding, but
was also countered with the argument they wish to
preserve: "the ability of users to share freely their
views — including views that many people may disagree
with or find abhorrent [emphasis added]." 18 As
an international company, Twitter must necessarily
deal with the implication that complying with one
government's request to censor all pro-IS users could
lend support to another, less liberal government's
requests to censor all anti-government users.

In an example of a de facto norm being outsourced
to the private sector — since the U.S. Government and
other countries have, in effect, delegated the task — corporations
have developed their own codes of conduct
for the content they will agree to host, to remove, and
for their capabilities to censor objectionable content. 19
Although it has recently come to prominence, this is
not a new phenomenon. It echoes early debates from
the 1990s onward concerning where responsibility
lies for the availability of illegal content found online:
with the user, the service provider, or the state.

However, the result is that different private actors,
applying different codes and standards, engaging
in private forms of censorship on their own behalf
have generated confusion and shown inconsistency.
Google's policy directors are opposed to blanket censoring
of IS content on its search engine and video platform
YouTube, despite a stated desire not to become
the distribution channel of terrorist ideology. Google
states: "Enforced silence is not the answer. Drowning
out the harmful ideology with better messages,
with reasonable messages, is the better way [emphasis
added]." 20 This too reflects a broader debate: some
proponents of censorship have suggested a holistic
government-initiated counterinsurgency tactic online,
by increasing censorship and marginalizing IS; 21 while
others have suggested copying Chinese and Russian
propaganda tactics, by saturating the web with counter
narratives, and drowning IS propaganda in a sea of
fake propaganda. 22 Neither approach would have appeared
acceptable just a few years previously, before
the threat of deliberate harmful content distribution
became undeniable.

David Fidler, senior fellow of the Council on Foreign
Relations, has proposed solutions that involve
transparent cooperation of the U.S. Government with
private companies. He suggests that the U.S. Government
should publicly issue a presidential directive setting
out the circumstances under which it will request
that private companies take down content. He also
pushes for private companies to explain their policies
and subject them to review by independent experts,
and for the government's Privacy and Civil Liberties
Oversight Board to oversee government requests and
report on them to Congress and the public. 23

While the idea of harmful content, in the way Russia
and China perceive it, is no longer outrageously
unacceptable, the balance is yet to be found between
developing an effective domestic counter-subversion
strategy while not setting a dangerous precedent of
censoring content online. If mishandled, the response
to online subversion by IS and Russia could provide
the means for abuse within the United States as well
as other countries, to censor not just terrorist content
but also dissenting opinions in the manner of authoritarian
states that use an "extremist" label to censor
anti-government social media accounts.

Despite the clear and growing evidence of challenges
in this field, it can be assumed that the United
States will not wish to follow the Chinese and Russian
lead on restrictions of civil liberties.
The Law of Armed Conflict (LOAC).


A keystone element of the ongoing legal debates
revolves around whether, when, and to what extent
LOAC can apply to hostile actions carried out through
cyberspace, and hence the sub-topic of what precisely
constitutes an "armed attack" online. A wealth of informed
legal commentary on this topic is available,
and this Letort Paper will not replicate it. Instead, it
will provide an overview of the current state of the
debate and progress toward international agreement.

UNITED NATIONS GROUP OF 
GOVERNMENTAL EXPERTS (UNGGE) 

The UNGGE on Developments in the Field of Information
and Telecommunications in the Context of
International Security is the only UN platform where
state behavior in cyberspace is discussed. The group
was also named tactically, to avoid discussion on information
security versus cybersecurity. This was an
essential step, since some states deliberately avoid any
use of the term "information security" in official statements
because of its negative associations. Even if the
phrase is the most appropriate one to describe the
topic under discussion, it has been sufficiently tainted
by association with the regulatory stance adopted by
Russia and China in particular, that it is shunned in
favor of the more acceptable "cybersecurity." 24

The proposal to establish the group came from
Russia in 2003, with a remit to "study existing concepts
and approaches and analyze current international
legal provisions relating to various aspects of
international information security." 25 Since then, the
group has produced three consensus reports and convened
again in 2016. After years of stalemate, the 2013
report appeared to be a breakthrough, affirming a
consensus that:

International law, and in particular the UN Charter, is
applicable, and is essential to maintaining peace and
stability and promoting an open, secure, peaceful and
accessible ICT [information and communications technology]
environment. 26

How exactly the law applied and when, however, 
remained unspecified, and was the subject of further 
debate. 

The 2015 report thus went deeper into the application
of international law. It did, however, exclude the
milestone from the previous report: that the UN Charter
in its entirety applies in cyberspace. Specifically,
the authorization of the use of force in self-defense
against an "armed attack," as described by Article 51
of the UN Charter, was revoked. 27 According to James
Lewis, the group's rapporteur and director of the Center
for Strategic and International Studies' Strategic
Technologies Program, the proposal was rejected by
a bloc of nations, including Russia, China, Pakistan,
Malaysia, and Belarus. The Chinese argument was apparently
that they did not want to include reference to
Article 51, because this would militarize cyberspace.
According to Lewis, there was also an unspoken concern
that the United States would use Article 51 to
legitimize offensive counteraction for major breaches
attributed to Chinese and Russian hackers. 28

Accepting the applicability of LOAC, some states
fear, will set the circumstances in which a state is justified
in invoking its right to self-defense. However, it
also risks encouraging the perception that all activity
not expressly prohibited would be acceptable. 29
On the application of international law, the 2015
UNGGE report outlines which of the principles of the
UN Charter and international law do apply to the use
of ICTs:

• State sovereignty, jurisdiction over ICT infrastructure
within their territory, and sovereign
equality;

• Settlement of international disputes with peaceful
means;

• Refraining from threat or use of force; 

• Respect for human rights and fundamental 
freedom; 

• Non-intervention in the internal affairs of other 
states; 

• States must not use proxies to commit internationally
wrongful acts using ICTs, and should
seek to ensure that their territory is not used by
nonstate actors to commit such acts;

• States must take responsibility for internationally
wrongful acts attributable to them under
international law. The indication that an ICT
activity was launched or otherwise originates
from the territory or the ICT infrastructure of
a state may be insufficient to attribute activity;
and,

• International legal principles of humanity, 
necessity, proportionality, and distinction are 
applicable to the use of ICTs. 

The UNGGE did also identify voluntary, non-binding
norms for responsible state behavior, to create an international
code of conduct for information security:

• States should cooperate to increase stability
and security in the use of ICTs and prevent ICT
practices that are known to be harmful. They
should create a global culture of cybersecurity
to protect critical information infrastructures
(capacity building);

• States should not conduct, or support ICT activity
that intentionally damages critical infrastructure;

• States should not allow their territory to be 
used for, or support internationally wrongful 
acts using ICTs; 

• States should cooperate to exchange information,
assist each other, prosecute terrorist and
criminal use of ICTs and implement other cooperative
measures to address such threats;

• States should respect human rights on the Internet,
and the right to privacy in the digital age,
including the right to freedom of expression;

• States should ensure the integrity of the supply 
chain so that end users can have confidence in 
the security of ICT products; 

• States should seek to prevent the proliferation 
of malicious ICT tools; and, 

• States should encourage responsible reporting 
of ICT vulnerabilities. 

The power of the group and of these consensus
reports is limited. Many of the delegate experts are
not authorized to make national statements on behalf
of their countries, and the reports have the status of
non-binding recommendations. The UNGGE advises
states to give active consideration to these recommendations,
and to take them up for further development
and implementation.

The 2013 report was subjected to a vote at the UN
General Assembly, but the consensus required to
adopt the report as a resolution was not reached. Little
further progress was made in the 2015 report, most
likely because not all the countries with strong interests
in the regulation of cyberspace were involved in
the drafting of the report. States like India had already
expressed their discontent with the report before it
came out, since it was not allowed to contribute an
expert for the group. This was a simple administrative
decision rather than deliberate exclusion; India was
too late responding to the call for nominations, as the
group is composed on a first come, first served basis.

The 2015 report was drafted by 20 experts, five
more than the 15 experts that participated in the 2013
report. While expanded, the group still is very small in
size. This limited participation presents both a weakness
and a strength of the UNGGE. The small membership
allows the group to come to a consensus quickly.
The participation of the powers wielding a veto in
the UN Security Council, and an equal geographical
distribution of participating countries, gives the consensus
significance since it unites important differing
opinions. However, the lack of universal involvement
of all UN member states means it is not representative
and thus has no legally binding power. The evolution
of the work of this group to a UN committee would be
a slow process.

Nevertheless, the representative sample of opinions
presented within the UNGGE does provide a
framework for further implementation by regional
initiatives. For now, reports issued there carry no
more than moral force.
TALLINN MANUAL


The Tallinn Manual on the International Law Applicable
to Cyber Warfare is a handbook created by a group
of international experts on how LOAC can be applicable
in cyberspace. The manual is an initiative by the
North Atlantic Treaty Organization (NATO) to offer
guidelines to state legal advisors. 30

The Tallinn Manual has posited that the general
principles of international law do apply to cyberspace,
including jus ad bellum and jus in bello. The manual's
95 rules define: state responsibility in cyber operations,
applying the principle of prohibition of the
use of force, the circumstances in which self-defense
may be invoked, the conduct of parties during cyber
hostilities, and more. The most important findings assert:
"an international armed conflict exists whenever
there are hostilities, which may include or be limited
to cyber operations occurring between two states or
more," and that "cyber operations alone might have
the potential to cross the threshold of international
armed conflict," although such conflict triggered solely
in cyberspace has not yet occurred. In the manual,
the experts confirmed that the instance of Stuxnet, a
cyberattack on Iranian nuclear facilities with kinetic
consequences, would have constituted a use of force,
but did not reach the threshold of an armed attack.
Under the manual, a cyber operation can be retaliated
against in self-defense, but only if the conditions of a
cyber armed attack ("use of force" resulting in serious
physical injury and damage) are met. 31

The Tallinn Manual was drafted by a group of lawyers
representing the Euro-Atlantic consensus on law
in cyberspace, and has not been widely adopted by the
international community, in part because of the lack
of participation by nations from other regions of the
world. This applies even to France; according to Jean-Christophe
Noel, of the Policy Planning department
in the French Ministry of Foreign Affairs, France is not
in agreement with the provisions of the Tallinn Manual,
since there is no concept of pre-emptive defense
in French law — "the concept is too Anglo-Saxon."
Instead, France is willing to promote the Shanghai
Cooperation Organisation (SCO) or the Organization
for Security and Co-operation in Europe (OSCE), to be
discussed further in this Letort Paper. 32

Many experts agree that the development of
peacetime norms may ultimately be more important
than establishing how international law applies during
armed conflict. The majority of current cyber conflicts
take place far beneath the level of armed conflict,
and a lack of state practice on the actual use of force
in cyberspace creates assumptions on how to respond
without experience in actual situations.

The follow-on project, known as Tallinn 2.0, continues
this reflection and focuses on the application of
international law to cyberspace in peacetime. Originally
scheduled to be published in late 2016, it will
analyze the application of existing laws in the case of
cyberattacks that are below the threshold of armed
conflict, and address questions related to attribution
and possible responses.

The creation of norms, along with producing trust
through confidence building measures (CBMs), is also
deemed more important. The next section of this
Letort Paper explores the existing rules and ongoing
development of norms.

EXISTING RULES AND AGREEMENTS


Cyber Weapons. 

In December 2013, signatories of the Wassenaar 
Arrangements — an international regime regulating 
exports of conventional weapons and sensitive dual-use
items and technologies with military end-uses —
agreed to impose restrictions on exports of IP network 
surveillance systems and intrusion software in order 
to prevent "cyber proliferation." Restrictions were 
imposed, among others, on "zero-day" vulnerabilities 
that are purchased by governments as well as other 
customers for the purpose of targeted attacks. 33 

In July 2015, the U.S. Bureau of Industry and Security
(BIS) attempted to implement the Wassenaar Arrangements,
proposing a broader set of controls than
intended in the Wassenaar text. BIS was challenged by
the cybersecurity industry that had not been properly
consulted on the specifics of such export controls. 34
They argued that controls on software deemed malicious
can also hurt cybersecurity research, and as a
consequence, make the Internet less safe. This is because
the same offensive techniques that are developed
to bypass existing computer security measures
are also used by security researchers to highlight
weaknesses in order to fix the vulnerable software. It
became clear that the BIS proposal for implementation,
in effect, amounted to prohibiting the sharing of
vulnerability research without a license. 35 The proposal
was promptly withdrawn.

The EU is also proposing to implement the Wassenaar
Arrangements, with reference to software, but
has specified in more detail which software and for
what purposes the export will be controlled. 36 Taking
into account that intrusion software and zero-day
vulnerabilities can have useful and benign application,
the EU installed safeguards for research purposes,
preventing ethical hackers from being penalized. Its
drafting process has encountered less resistance from
the cybersecurity community, but it is still under scrutiny
by researchers who vehemently oppose any export
controls on intrusion software. The addition of
human security in the EU amendments through an EU
resolution shifts the policy focus to controlling software
that is detrimental to human rights and freedom
of expression. 37

Confidence Building Measures (CBMs). 

The development of a range of international CBMs 
in various international organizations, including the 
OSCE, the Organization of American States (OAS), 
the SCO, and more indicates a shared perception of
threats and an affinity of threat perception. The challenge
now appears to be expanding these shared
CBMs beyond regional boundaries, and beyond the 
boundaries of groups of like-minded states. 

CBMs are not legally binding rules, but they can
often be just as effective in maintaining security and
trust. They have practical applications, but are also
the foundation for arriving at cyber norms and fostering
responsible state behavior. CBMs prevent or
reduce the risk of conflict by eliminating the causes
of mistrust and miscalculation between states — an
especially complex field, given the invisible and
unverifiable nature of many preparations for hostile action
in cyberspace.

This section will provide an overview of the impressive
range of CBMs that have already been implemented
through the work of international organizations.

The Organization for Security and Co-operation in Europe 
(OSCE). 

The OSCE developed a groundbreaking set of 11 
voluntary CBMs that were adopted in December 2013 
by its 57 member states. These were: 

• Exchanging views on various aspects of national
and transnational threats to and in the use of
ICTs;

• Facilitating cooperation among competent
national bodies and exchange of information;

• Consultations in order to reduce the risks of
misperception, and of possible emergence of
political or military tension or conflict;

• Sharing information on measures taken to ensure
an open, interoperable, secure, and reliable
Internet;

• Using the OSCE as a platform for dialogue,
exchanging best practices, awareness-raising, and
information on capacity-building;

• Putting in place modern and effective legislation
to facilitate bilateral cooperation and information
exchange between competent authorities;

• Sharing information on national organization,
strategies, policies, and programs relevant to
the security of, and use of, ICTs;

• Nominating a contact point to facilitate pertinent
communications and dialogue;

• Providing a list of national terminology related
to the security of, and in the use of, ICTs,
accompanied by an explanation or definition of
each term;

• Exchanging views using OSCE platforms and
mechanisms to facilitate communications
regarding the CBMs; and,

• Regular meetings of national experts to discuss
the information exchanged and explore appropriate
development of future CBMs.

More than three-quarters of OSCE participating
states have already exchanged the specified information
with other states, and the OSCE is observing and
encouraging the voluntary implementation of the
remaining CBMs. A further set of measures is being
developed, with a focus on cooperative and "stability
measures," whereby individual states commit to refrain
from taking certain actions against each other. 38

The UNGGE 2015 report based its recommended 
CBMs heavily on the 2013 OSCE voluntary measures, 
and in return, the next set of OSCE measures will be in 
line with the recommendations of the UNGGE report. 

The Association of Southeast Asian Nations (ASEAN)
Regional Forum.

In 2012, the Ministers of Foreign Affairs of the
ASEAN tasked the ASEAN Regional Forum with the
promotion of dialogue on confidence-building, stability,
and risk-reduction measures among its members
in ensuring cybersecurity. The ASEAN Regional Forum
was also mandated to develop a work plan on ICT
security, focusing on practical cooperation on CBMs.
The ASEAN Regional Forum work plan, presented in
2015, proposes the establishment of an open-ended
study group on CBMs. The workshops and preliminary
reports that have been produced in support of
that study group are reportedly also building on the
OSCE set of CBMs.

The Organization of American States (OAS).

The OAS became the first regional body to adopt a
cybersecurity strategy through approval of their resolution,
"Comprehensive Inter-American Strategy to
Combat Threats to Cyber security," in 2004. This strategy
encompassed a number of initiatives aimed at
strengthening trust between member states. The main
objectives of the Secretariat are to establish national
"alert, watch, and warning" groups, creating a network
of these Computer Security Incident Response
Teams (CSIRTs); and to promote a culture and awareness
of cybersecurity. 39

CBMs in the OAS context have been primarily focused
on cybercrime or infrastructure-protection capacity
building initiatives, with the aim of preventing
states from becoming a safe haven or permissive environment
for cybercriminals. A working group of the
OAS Committee on Hemispheric Security was tasked
with the unification of the criteria for reporting
confidence- and security-building measures (CSBMs), and
created a consolidated list in 2009. 40

The implementation of these measures has been
delegated to the Inter-American Committee against
Terrorism (CICTE), the process of the Meetings of
Ministers of Justice or of Ministers or Attorneys General
of the Americas (REMJA), and the Inter-American
Telecommunication Commission (CITEL).

Bilateral and Regional Agreements.

Several other codes of norms and good behavior
have been constructed in bilateral and regional agreements.

Cybercrime: The Budapest Convention. 

The 2001 European Convention on Cyber Crime 
(The Budapest Convention) is the first international 
treaty to address computer and Internet crime, and 
was explicitly intended to increase cooperation 
among nations. The Convention was drawn up by 
the Council of Europe and ratified by 39 countries. 
The Convention identifies certain offences against the 
confidentiality, integrity, and availability of computer 
data and systems as criminal activities. These
offences are understood to be:

• Illegal access to data (when infringing security 
measures); 

• The interception of data and interference 
(damaging, deletion, deterioration, alteration 
or suppression of computer data); 

• Access, interception, and interference of 
systems; 

• Creating devices and computer programs 
designed to make the above offences possible; 

• Computer related fraud and forgery; 

• Infringement of copyright; and, 

• Offences in content, related to child 
pornography. 

The signatory countries of the Convention are legally
obliged to prevent, investigate, and prosecute
all these actions. Through the Budapest Convention's
Mutual Legal Assistance (MLA) provisions, cooperation
has improved and effective measures against cybercrime
have been undertaken. 41 The advantages of
the Convention as a means to resolve conflicts through
law enforcement have been recognized outside Europe.
Non-EU countries such as Australia, the Dominican
Republic, Japan, Mauritius, Panama, Canada,
and the United States are also signatories.

With the possibility for accession of non-EU countries
to the Convention, the Convention can still grow
to become a comprehensive international framework
for all states. Brazil, China, and India, however, have
argued that a treaty negotiated by Europe is inherently
inapplicable to non-European countries, despite
the fact that non-European countries are already party
to the Convention, and a large proportion of international
law that applies today stems from negotiations
amongst Europeans. 42 Russia, in particular, has
long argued that the Budapest Convention is fatally
flawed, as its provisions on access to foreign information
systems violate state sovereignty. This claim was
rejected in December 2014 by the committee that oversees
the treaty. 43 Russia also argues, however, that the
Convention should be replaced with "an entirely new
document with worldwide application . . . since the
Convention itself does not allow amendments." 44

The counter-argument runs that an open-ended
intergovernmental expert group already exists to conduct
a comprehensive study on the problem of cybercrime,
with the possibility of launching negotiations
on a new cybercrime treaty under UN auspices, but
this has so far not shown any results. 45 Furthermore,
a new Treaty is unnecessary when the Budapest Convention
has already been tested and approved by
many countries and can be expanded to the rest of the
world.

European Union (EU).

The EU Cybersecurity Strategy adopted in 2014
defines norms of behavior in cyberspace that all stakeholders
should adhere to, following the same principles
as core EU values. It has put forward proposals
to fill legislative gaps identified in its National Infrastructure
Strategy (NIS) on national capabilities, coordination
in cases of incidents spanning across borders,
and private sector involvement and preparedness.

On matters of international security, the EU encourages
the development of CBMs in cybersecurity
to increase transparency and reduce the risk of misperceptions
in state behavior. The EU does not, however,
support the creation of new international legal instruments
for cyber issues. 46

The North Atlantic Treaty Organization (NATO). 

NATO's enhanced policy on cyber defense, endorsed
by Allied defense ministers in June 2014, confirmed
that international law applies in cyberspace.
Therefore, Article 5 of the North Atlantic Treaty on
collective self-defense can be invoked in case of a cyberattack
with effects comparable to those of a conventional
armed attack. However, Jamie Shea, Deputy
Assistant Secretary General for Emerging Security
Challenges at NATO Headquarters, has said that the
Policy does not set any detailed criteria for the activation
of Article 5, which would have to be decided by
the Allies on a case-by-case basis. 47

United States-Russia.


In June 2013, the United States and Russia signed
the first bilateral agreement to reduce the risk of conflict
in cyberspace through real-time communications
about incidents of national security concern.

A hotline on cyber incidents was established as
one of the components in the existing Direct Secure
Communication System between the White House
and the Kremlin. The exchange of technical information
between the U.S. Computer Emergency Response
Team and its Russian counterpart is another important
agreement that is the first part of a set of CBMs. 48

Russia views the bilateral agreements between 
itself and the United States, concluded in person by 
Presidents Obama and Putin, as far more advanced 
and significant than agreements with the EU, and has 
gone as far as to describe the agreement as a "pact on 
electronic non-aggression." 49 

However, the agreement on information exchange 
was welcomed by both sides as a mechanism for removing
elements of suspicion or doubt, important to
improve trust that seemingly malicious activity is in 
fact benign, and to increase transparency, ensuring a 
full understanding of one another's perspectives on 
defense policies. 

United States-China. 

In September 2015, the United States and China
came to a significant bilateral agreement on cybersecurity. 50
While it was not the widely anticipated cyber
arms control deal, an agreement was reached to abide
by norms of behavior in cyberspace. At the time of this
writing, these norms remain unspecified, but a senior
expert group is to be created in order to identify them,
basing itself on the work done by the UNGGE. This
would mean that norms set by the UNGGE could be
implemented by two major cyber players in an adversarial
relationship, which would constitute major
progress toward international regulation.

The United States and China also agreed that neither
country's government would conduct or knowingly
support cyber-enabled theft of intellectual
property, with the intent of providing competitive
advantages to companies or commercial sectors.

The timing of the agreement was significant, and 
relieved tension at a time when President Obama was 
preparing to impose sanctions against Chinese companies
accused of intellectual theft shortly before a visit
to the United States by Chinese President Xi Jinping. 

The agreement also encompassed CBMs established
through a "high-level joint dialogue mechanism
on fighting cybercrime and related issues." 51
MLA would be improved, where both sides agreed
to cooperate with requests to investigate cybercrimes
and provide updates on the status and results of
those investigations, collect electronic evidence, and
mitigate malicious cyberactivity emanating from their
territory. A hotline for the escalation of issues will be
opened, which will drastically improve trust between
the two powers, providing a framework for transparency.

Practical implementation appeared to follow swiftly,
when a small number of hackers were arrested in
China at the request of the U.S. Government within
the following week. 52 As of yet, however, there is no
public indication that China has curtailed its cyber
espionage programs.

This deal was also mirrored in a UK-China bilateral
pact a month later, 53 and could be the basis for
further bilateral agreements.

Russia-China. 

In May 2015, Russia and China signed a bilateral 
agreement on cooperation in the field of international 
information security. 

This agreement was also dubbed a non-aggression
pact, since both sides agreed to refrain from using cyberattacks
against each other, protecting each other's
internal sovereignty in cyberspace. They agreed to
respond jointly to technologies that may have a destabilizing
effect on political and socio-economic life or
interfere with the internal affairs of the state.

In keeping with the title of the agreement and the
security concerns of both states, the cyberthreats defined
in the treaty are not just those that would be of
concern to the EU and the United States, but they also
include broadly defined threats such as the transmission
of information that could endanger the
"societal-political and social-economic systems, and spiritual,
moral and cultural environment of states." 54

Russia and China, together with a number of Central
Asian states, have also submitted a proposal on
an international code of conduct for information security,
updated from an original proposal in 2011, that is
currently circulating in the UN to be voted on in the
General Assembly. 55

The involvement of other states in the proposal is
indicative of the support Russia and China enjoy for
their concept of information security. Russia offers
a powerful incentive and argument to those states
that share Russia's information security concerns and
wish to ensure that national security is appropriately
protected against threats in the information domain.
By comparison, the West's offering is nebulous and
idealistic, and focuses mainly on a discussion of the
benefits (many of them intangible) that the Internet
can bring. Comparisons of these two different models
provide a classic example of hard versus soft interests.

United States-European Union (EU). 

Dialogue commitments have also been made between
the United States and the EU, the latest being at
a security summit in March 2014. This dialogue provides
a forum for strategic consultations on areas including:
international cyberspace developments; promotion
and protection of human rights online; and,
politico-military and international security issues,
such as norms of behavior in cyberspace, cybersecurity
CBMs, and the application of existing international
law and cybersecurity capacity building in third countries. 56

Internet Governance. 

Global Internet governance, the regulatory model
that keeps the Internet operational, is a different topic
from norms seeking, and is enacted in different fora.
Governance depends on a multi-stakeholder model,
while norms are developed on a state-to-state basis.
The Internet is "owned" mostly by private organizations;
its architecture comprises intermediaries
such as network operators, exchange points, search
engines, hosting services, e-commerce platforms, and
social media providers, 57 and it is these who contribute
strongly to governance models.

Furthermore, debate on governance models should
not be confused with discussion of legislation on what
can be done in cyberspace. Rather than hard law and
regulatory enforcement, governance is accomplished
by means of voluntary compliance with technical
standards, codes of conduct, and industry best practices.
Nevertheless, the ideological dividing lines on
how the Internet should be governed mirror those in
discussions on how legislation should be made.

The Internet is mostly regulated through interconnectedness
and peering agreements among Internet
service providers, with the most important international
governing bodies being the Internet Corporation
for Assigned Names and Numbers (ICANN), and
the International Telecommunication Union (ITU).

The ITU is the UN agency for ICT and is a provider
of ITU law. 58 An important political confrontation over
Internet governance came when the ITU organized
the World Conference on International Telecommunications
(WCIT) in Dubai in 2012, as mentioned earlier.
The ITU was proposing new International Telecommunications
Regulations (ITR) that had not been reviewed
since 1988. These would have meant in effect
that the Internet would suddenly be government led,
under the regulatory framework of the ITU, and move
away from a multi-stakeholder model. 59 As a result, a
group of nations concerned about Internet freedom,
and led by the United States, refused to sign the agreement
on changes. 60

At that point, the Internet was overseen by a loose
grouping of organizations, mostly in the private sector,
rather than by governments. At least one, ICANN,
was operated under a contract from the U.S. Government.
The importance of ICANN stems from the organization's
work on the coordination of the Internet
systems of unique identifiers by coordination of IP
addresses and the DNS, a hierarchical organization of
namespace that is vital for the functioning of the Internet.
This provided ammunition to those who claimed
that the Internet was in fact run by the United States,
so this arrangement was changed in 2014.

In March 2014, the U.S. Department of Commerce
announced its intent to transfer its stewardship role
over certain functions that keep the Internet running,
known collectively as the Internet Assigned Numbers
Authority (IANA), to the global multi-stakeholder
community. The move was internationally applauded,
as it addressed the contentious issue of U.S. control
over ICANN. An important condition for the transition
was that the control over IANA functions had
to be exercised in a multi-stakeholder model, rather
than a state-to-state model, and governments would
not have ultimate decision-making authority. This removed
the fear that the IANA transition would lead to
a UN takeover. 61 NETMundial, hosted by Brazil, was
the Global Multi-stakeholder Meeting on the Future
of Internet Governance, where an outcome document
was produced consolidating proposals for a roadmap
on future Internet governance. Representatives from
government, business, civil society, and academia
were participants (actively present and remotely present)
at this first of its kind multi-stakeholder meeting. 62

Despite being due in September 2015, the IANA
transition has still not occurred at the time of this writing,
and administrative preparations are ongoing. 63

A key argument in favor of the multi-stakeholder
model for Internet governance, and against governance
exercised only by states, is that this avoids mixing
geopolitics and national preferences in with governance
on technical issues. As the United States argued
in Dubai in 2012, the Internet should not be included in
a draft interstate treaty dealing with technical matters
like connecting international telephone calls, because
doing so would replace the existing, bottom-up form
of Internet oversight with a government-led model
and hence, directly threaten Internet freedoms. 64

Russia takes a contrary view. While Russia has
begun to say that it supports a multi-stakeholder approach
to Internet governance in principle, an important
caveat is that this was with specific weight allocated
to individual stakeholders. In critical questions,
the state would have the right of veto, but other stakeholders
would not. By contrast, Sarah Taylor, from the
UK's Department of Culture Media and Sport, emphasized
in December 2014 that a multi-stakeholder
model needs protection against any single dominating
interest. According to Jean-Jacques Sahel of ICANN,
the key phrase is "avoiding capture"; for this purpose,
the model needs to be as balanced as possible.

OUTLOOK, IMPLICATIONS AND POLICY 
RECOMMENDATIONS 

This Letort Paper has given a brief overview of the
relevant moves toward establishing norms and the
rule of law in cyberspace. Even though the evolution
of law is slow, the cyber domain is changing fast, and
a measured approach to establishing norms is essential
in order to ensure that they remain relevant in the
longer term.

Is There a Need for a New Treaty? 

The current trend of bilateral and regional implementation
of CBMs, norm setting, and threat defining
contributes to enhanced cybersecurity. However,
it does little to address fundamental mismatches of
cybersecurity concepts between the Euro-Atlantic
community and states such as Russia and China.
While to some extent these can be addressed by the
wide variations in interpretation of cyberthreats in the
bilateral agreements between Russia and China, versus
the agreements made with Western powers, it remains
the case that the conceptual divergence fosters
misapprehension and miscommunication.

In particular, the variation in interpretation of 
what constitutes hostile action in cyberspace gives rise 
to concern that a nation may consider itself to be in a 
state of hostilities with another, while that other is as 
yet unaware. 65 

Norms are the predecessors of an internationally
agreed rule of law regime. Without universal norms,
coming to an agreement on how to react to improper
behavior is challenging. Therefore, the development
of non-binding universal norms on appropriate behavior,
governing those principles that are universally
agreed, is the first priority. The UNGGE as a consensus
building organization has a key role to play in
this task.

Sovereignty and Rights. 

Rules and regulations arrived at by negotiation between
states can be abused by authoritarian regimes
to suppress their own populations and deprive them
of their privacy and other human rights. Setting obligations
to follow international law also provides for
state supervision and jurisdiction over domestic territory
that has the potential to promote the application
of sovereignty principles over the Internet. Any eventual
international agreement must be drafted carefully
with this in mind: that asking for more control
over malicious activity may hand states the power to
oppress citizens online.

The perception by Russia, China, and like-minded
states that unrestricted flows of information and opinions
— especially through social media — are a threat to
security, gives rise to continuing efforts to constrain
freedom of expression online. Their efforts to regulate
information security, and especially to persuade other
nations to support their international initiatives, are a
challenge to Internet freedoms. Broadly speaking, it
is essential to continue to resist the current efforts by
Russia, China, and others to introduce legislation that
would enforce controls on content as well as on hostile
code. However, this does not mean that it would be
impossible to arrive at specific agreements or CBMs
that apply to specific activities online that all sides
concur are unacceptable.

If it is important to the United States that freedom
on the global web be protected, the United States needs
to avoid both the fact and the appearance of constraining
Internet freedom domestically. This leads to immediate
challenges when attempting to counter subversive
and hostile campaigns online, especially through
social media, originating from the Islamic State in Iraq
and Syria (ISIS) and Russia. One key remedy is transparency.
When action is taken to censor or suppress
content online, then having publicly visible political
oversight and review of the steps taken is essential.

"Balkanization/Splinternet."

Allegations by Edward Snowden about the use of
mass data collection by the United States, as well as
their damage to U.S. and allied national security, have
also boosted the argument for sovereignty in cyberspace
and the concept, embraced by Russia, China,
and others, of "national information space."

The European Court of Justice Decision in September
2015 to end the "safe harbor" agreement sets an
important precedent in this process. The lack of trust
in U.S. companies and in the U.S. Government on the
storage of European citizens' data has pushed European
countries to end an agreement with the United
States on data storage. A German data protection
agency already called for data localization, the storage
of network data, and communications within the
territory, and others will probably follow suit. 66

While the decision has been presented as positive 
for EU citizens, it also provides a precedent for further 
Balkanization of the Internet. Sovereignty and control 
over cyberspace can now legitimately be striven after 
by governments with far less democratic overview. 67 

The move toward devolution from the global Internet
is not universal. In Brazil, proposed legislation
to force all network data to be stored on Brazilian territory
was dropped after heavy protests. 68 Companies
like Google complained they would have to make
expensive investments in server centers on Brazilian
territory, and there was a perceived danger that
other corporations would avoid business in Brazil
altogether because of the cost, inadvertently restricting
online freedom even more. The measures were too
reminiscent of Brazil's recent authoritarian past, and
were rejected.

Russia, however, has no such constraints, and
is taking the opportunity to put in place human security
measures and domestic legislation aimed at
"preventing breaches in national information space."
Data localization laws in Russia came into force on
September 1, 2015.

Dealing with Cyber Threats.

For any arm of the U.S. Government, the current
state of online legislation — and the attitudes to
it around the world — has direct implications for the
range of cyberthreats that face the United States, and
how they can be addressed.

The approach of "trust but verify," which is the
foundation of arms-control regimes in other domains,
has virtually no applicability to cyberspace. Cyber
threats include the capabilities of nonstate actors who
are not bound by traditional diplomatic means of constraint.
Meanwhile, events in Ukraine have shown
that even state actors like Russia no longer consider
themselves bound by norms of behavior that have
been taken for granted in the West for several decades.

It is commonly held among legal experts working
on the cyber domain that a catastrophic event is required
in order to crystallize the law. It is only possible
to arrive at a definition of an "armed attack," and determine
for sure whether retaliation and self-defense
were justified, when such action has been taken, the
international community has reviewed those actions,
and determined if there was a breach of international
law.

In the meantime, in the current cyberthreat environment,
acting based on trust alone would require a
substantial leap of faith. There appears at present to be
no substitute for additional insurance in the form of
unarguably strong cyber capabilities, both defensive
and offensive.

The Tallinn Manual and the UNGGE consensus
provide models for the application of international
law to actions in cyberspace. However, it is vital to
remember that although they may be attractive to the
United States and its allies, they are not agreed upon
by the entire international community and hence they
should not be considered in any way binding on current
or potential adversaries, either state or especially
nonstate.

The approaches of key potential state adversaries
to legitimation or prohibition of online activity provide
important clues to how they see this activity in
terms of their own behaviors. The widely varying attitudes
displayed toward what is and is not legal and
constrained in online behavior lead to a final vital
point for the United States: That adversaries are framing
their cyber offensive potential in an entirely different
mental construct to that which applies in the
United States and its Western allies. As demonstrated
in Ukraine, the threat from Russia is an integrated one
encompassing the whole of the information domain,
as opposed to strictly technical interpretations of what
constitutes cyber activity. It follows that considerable
mental agility will continue to be required in order to
plan for, counter, and respond to the very wide range
of threats to U.S. security that state and nonstate adversaries
can present using the Internet.